Curdleproofs

Curdleproofs is a zero-knowledge shuffle argument inspired by BG12.

Zero-knowledge shuffle arguments can have multiple use cases: - Secret leader election protocols - Message shuffling in mixnets - Universally verifiable electronic voting protocols

Documentation

The Curdleproofs protocol is described and proved secure in the Curdleproofs paper.

The user-facing documentation for this library can be found here.

In this library, we provide high-level protocol documentation for the core [curdleproofs] argument and its sub-arguments: - [same_scalar_argument] - [same_permutation_argument] - [grand_product_argument] - [inner_product_argument] - [same_multiscalar_argument]

There are also notes on the optimizations deployed to speed up the verifier.

Performance

The following table gives the proof size as well as timings for proving and verifying Curdleproofs on an Intel i7-8550U CPU @ 1.80GHz over the BLS12-381 curve:

| Shuffled Elements | Proving (ms) | Verification (ms) | Shuffling (ms): | Proof Size (bytes) | |------------------:|-------------:|------------------:|----------------:|-------------------:| | 60 | 177 | 22 | 28 | 3968 | | 124 | 304 | 27 | 57 | 4448 | | 252 | 560 | 35 | 121 | 4928 |

Example

The following example shows how to create and verify a shuffle proof that shuffles 28 elements:

```rust

// The #-commented lines are hidden in Rustdoc but not in raw

// markdown rendering, and contain boilerplate code so that the

// code in the README.md is actually run as part of the test suite.

#

use ark_std::rand::prelude::SliceRandom;

use ark_std::UniformRand;

use arkbls12381::Fr;

use arkbls12381::G1Affine;

use arkbls12381::G1Projective;

use ark_ec::ProjectiveCurve;

use ark_std::rand::{rngs::StdRng, SeedableRng};

use core::iter;

#

use curdleproofs::N_BLINDERS;

use curdleproofs::curdleproofs::{CurdleproofsProof, generate_crs};

use curdleproofs::util::shufflepermuteandcommitinput;

#

fn main() {

let mut rng = StdRng::seedfromu64(0u64);

// Number of elements we are shuffling let ell = 28;

// Construct the CRS let crs = generate_crs(ell);

// Generate some witnesses: the permutation and the randomizer let mut permutation: Vec = (0..ell as u32).collect(); permutation.shuffle(&mut rng); let k = Fr::rand(&mut rng);

// Generate some shuffle input vectors let vecR: Vec = iter::repeatwith(|| G1Projective::rand(&mut rng).intoaffine()) .take(ell) .collect(); let vecS: Vec = iter::repeatwith(|| G1Projective::rand(&mut rng).intoaffine()) .take(ell) .collect();

// Shuffle and permute inputs to generate output vectors and permutation commitments let (vecT, vecU, M, vecmblinders) = shufflepermuteandcommitinput(&crs, &vecR, &vecS, &permutation, &k, &mut rng);

// Generate a shuffle proof let shuffleproof = CurdleproofsProof::new( &crs, vecR.clone(), vecS.clone(), vecT.clone(), vecU.clone(), M, permutation, k, vecm_blinders, &mut rng, );

// Verify the shuffle proof assert!(shuffleproof .verify(&crs, &vecR, &vecS, &vecT, &vecU, &M, &mut rng) .isok());

}

```

Building & Running

This library can be compiled with cargo build and requires rust nightly.

You can run the tests using cargo test --release and the benchmarks using cargo bench.